At a glance.
- US aims to attract the best and brightest in cybersecurity.
- VPN shuts down Indian servers to preserve user privacy.
- US Bureau of Industry and Security finalizes cybersecurity export ban.
US aims to attract the best and brightest in cybersecurity.
The need for cybersecurity professionals in the US is higher than ever, and New York Senator Kirsten Gillibrand has proposed one possible solution: a cyber academy. Gillibrand told Newsweek, “The idea of creating a National Cyber Academy is that it's a call to action to America's youth to ask them to serve the United States in the cyber capacity. One of the biggest challenges we have in the future is protecting the nation from a cyberattack and being able to win a cyberwar should one ever start." Under her proposal, scholars would be given the opportunity to earn an education in cybersecurity debt-free in exchange for five years of government service, the idea being that after a four years of schooling and experience working in government, their skills will be unmatched. Spokesperson for the Office of the Secretary of Defense Russell Goemaere noted that Gillibrand’s plan could successfully convince top talent to pursue careers in government instead of going to the private sector. “The U.S. Federal Government competes for the same limited supply of cyberspace talent as does the private sector, and oftentimes cannot compete for that talent based on higher compensation and workspace flexibilities offered by industry."
A recent report from the Cyberspace Solarium Commission echoes these sentiments, as it shows the cyber workforce is severely short-staffed. Commission Executive Director Mark Montgomery told the Washington Post, “We’re about two-thirds manned now. When you’re two-thirds manned, you clearly aren’t getting the job done…You can end up with an underperforming, unhappy, undertrained workforce.” The report recommends creating a specialized team of government human resources specialists focused solely on hiring federal cyber experts. The report also recommends increasing congressional funding for recruiting and retaining cyber workers, including putting more money toward CyberCorps, a Scholarship for Service program that recruits top cyber talent. Montgomery explained, “This will take years of implementation and attention to detail and tracing and tracking by the [national cyber director]. Then, five to seven years from now, we could have a stable, properly manned cyber workforce.”
VPN shuts down Indian servers to preserve user privacy.
ExpressVPN, a virtual private network provider registered in the British Virgin Islands, has shut down its servers in India. The move comes in response to the data storage demands laid out in the new cybersecurity directives issued by India’s Computer Emergency Response Team (CERT-In), which ExpressVPN says violate user privacy. Lithuania-based NordVPN has threatened to do the same if things don’t change in coming weeks, explaining that “there will be no other way to stay in India while preserving the privacy of our customers and integrity of our service.” Issued in April and set to take effect at the end of June, the CERT-In directives mandate VPN companies to maintain basic information about customers and subscribers, including names, IPs allotted, email addresses, and purpose of hiring the services, and VPN companies have expressed that the collection of such data would go against the very nature of their services. That said, it’s unclear exactly how far the Indian government will go in enforcement. Prasanth Sugathan, legal director at Software Freedom Law Center, told the Economic Times, “It needs to be seen how the government responds to this once the directions become operational. There could be penalties if they do not comply. The government could also decide to ban VPN providers who do not comply with the directions.”
US Bureau of Industry and Security finalizes cybersecurity export ban.
Following a window of public comment, the US Commerce Department’s Bureau of Industry and Security (BIS) has published the final revisions of its ban of cybersecurity exports from countries like China and Russia. “These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it,” the final rule reads. The Daily Swig explains that an early draft stated that a license would only be required for exports to countries where there are concerns about national security or weapons of mass destruction, but the final version corrects wording that BIS says might have “inadvertently” widened the scope of exceptions. A previous version garnered worries from the cybersecurity industry that the ban would deter the work of white hat cybersecurity researchers. Some industry members are still concerned the final version is unclear on certain aspects, such as whether the rule will control cybersecurity incident detection and monitoring software, but BIS plans to clarify any ambiguities with regular FAQs and updates over time. Founder and CTO of Bugcrowd Casey Ellis commented, “The good and clear thing here is that the BIS has listened to and actively worked to consider feedback from the security, research, and bounty hunter communities.”